A newly released proof-of-concept (PoC) exploit has disclosed a severe code-execution vulnerability affecting the Nothing Phone (2a) and the CMF Phone 1, both of which are powered by MediaTek chipsets. The exploit, named “fenrir”, compromises the secure boot process, allowing attackers to execute arbitrary code at EL3, the most privileged level in the ARM architecture.
Flaw in Nothing Phone (2a) and the CMF Phone 1
The issue lies in a logic flaw in how MediaTek devices handle secure boot verification when the bootloader is unlocked. Specifically, the Preloader fails to verify the bl2_ext partition if the seccfg (security configuration) state is set to unlocked. Since bl2_ext is responsible for verifying all subsequent stages of the boot chain, this oversight allows an attacker to load untrusted code with full privileges.
The PoC operates by patching the function sec_get_vfy_policy() in the bl2_ext binary to always return zero. This forces the device to skip verification checks and load any boot image without authentication.
Key technical features of the PoC include:
- Written in Python, C, and shell scripts.
- Automates patching and flashing processes.
- Spoofs the device’s lock state, tricking integrity checks into passing.
- Registers custom fastboot commands and can dynamically call bootloader functions.
Build process:
- Place the original bootloader image in bin/[device].bin.
- Run ./build.sh pacman (or provide a custom path).
- The script generates a patched image: lk.patched.
Flashing process:
- Use ./flash.sh to flash the patched image via fastboot.
- If fastboot is unavailable, alternative flashing tools may be required.
Confirmed Devices and Broader Implications
The exploit has been successfully tested on the Nothing Phone (2a) (codename: pacman) and is known to function on the CMF Phone 1 (tetris), though full support for the latter is still under development. Other MediaTek-powered devices are likely at risk.
One notable example is the Vivo X80 Pro, which, according to the author, doesn’t verify bl2_ext even with a locked bootloader, worsening the security risk.
Once exploited, the device’s entire chain of trust is compromised. Potential outcomes include:
- Installation of unauthorized operating systems.
- Firmware manipulation without detection.
- Circumvention of security features that rely on boot-time integrity.
Warnings and Disclaimers from the Author
The PoC author provides strong warnings:
“I AM NOT RESPONSIBLE FOR BRICKED DEVICES. This exploit can permanently destroy your phone if something goes wrong.”
The project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0), which requires source code disclosure for any public or networked use of the modified software.
Recommendations for Users and Vendors
Until official patches are released:
- Users should avoid unlocking bootloaders.
- Device makers and MediaTek must enforce verification of bl2_ext even in unlocked states.
- Security teams should investigate whether other devices are affected by checking the img_auth_required flag in expdb dumps.
The PoC is actively maintained and includes a roadmap:
- Add full support for more devices.
- Resolve MMU faults during runtime memory modification.
- Develop a stable method for payload appending.
At present, the payload component is experimental. While it cannot yet modify memory at runtime, it supports boot mode control, custom commands, and dynamic function calls within the bootloader.
